F-Secure Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: f-prot@datafellows.fi
This material can be freely quoted in Europe, Africa and Asia when
the source, F-PROT Professional Update Bulletin 2.18 is mentioned.
Copyright (c) 1995 F-Secure Ltd.Contents 3/95
1994 WAS GOOD - 1995 LOOKS EVEN BETTER!
The Global Virus Situation
A Packet of 2800 Viruses in the Internet
Let the Good Times Roll
Dual_GTM in France
A New Version of Disinfectant Now Available
Viruses in the Wild
News in Short
F-Secure Ltd's Popular WWW Service
F-PROT Professional Praised by Monitor Magazine Slovenia
Hong Kong's First Hacker Case
Common Questions and Answers
Changes in F-PROT Professional version 2.18
1994 WAS GOOD - 1995 LOOKS EVEN BETTER!
F-PROT Professional has been quite a success. To illustrate
the development: F-PROT sales in Finland increased with 144%
during 1994 from the previous year. Export increased with
147%.
During the first three months of 1995 our F-PROT sales
outside Finland have grown with more than 250%. The growth
rate in sales in Finland is somewhat smaller than last year
but remains considerable.
Many large international companies have chosen F-PROT. Our
release of the first device driver-based full scanner has
made a considerable impact on the market. Our forthcoming
Windows NT version will be one of the first, as well.
F-Secure has been a profitable, debtfree company from
the first fiscal year 1989 onwards. We have never been in as
good a shape as now to take on the challenge in the evolving
anti-virus market.
The Global Virus SituationA Packet of 2800 Viruses in the Internet
In the middle of April, a private user in Canada made a
contribution to a usenet newsgroup dedicated to computer
viruses by sending there a ZIP file which contained over
2800 computer viruses. The newsgroup was accessible in
hundreds of thousands of computers all over the world.
However, the packet did not present an immediate threat,
since users had to decode and extract it first in order to
run the viruses and this doesn't happen automatically.
The packet raised a lively discussion about the freedom of
speech and its limits. There was also contention about
whether the spreading of such packets serves some purpose.
F-PROT is able to detect the 2806 viruses included in the
packet.
Let the Good Times Roll
In this year's first Update Bulletin, we published an
article about the "Good Times" virus hoax which was going on
in the Internet. The Good Times rumor was thought to be well
on its way to extinction, but it seems to have gained new
strength recently.
The Good Times hoax is based on warning messages which carry
the subject "Good Times". These messages warn about other
messages titled "Good Times", claiming that they contain a
dangerous virus which activates when the message is read.
Finally, the messages exhort users to spread the warning
message as widely as possible.
Despite extensive efforts to put a stop to Good Times, the
messages have continued to spread and multiply in numerous
e-mail systems worldwide. On some occasions, Good Times
warnings have even been published in newspapers and
broadcasted on radio.
As was to be expected, it did not take too long for virus
writers to realize how they could take advantage of the Good
Times rumor. In April, an Australian virus group known as
VLAD published a real PC virus called 'Good Times'. This
version of 'Good Times' is an ordinary file virus which
infects COM and EXE files. To further confuse the issue, the
following message is included in the viruse's source code:
; The act of loading the file
; into a mail server's ASCII
; buffer causes the "Good
; Times" mainline program to
; initialize and execute.
; Remember to email all your
; friends, warning them about
; Good Times!
For obvious reasons, anti-virus programs will not recognize
this virus by the name 'Good Times'. Instead, it has been
named 'GT-Spoof'. A similar incident took place also in the
beginning of 1993. It involved a rumor about a fictional
virus called 'Proto-T', which was soon followed by the real
thing. This incident was discussed in the F-PROT 2.07 Update
Bulletin.
Dual_GTM in France
Reported by Pierre Vandevenne, DataRescue, Belgium
The Dual_GTM virus is in the wild and has been reported in
France during May 95. It is memory resident COM and EXE file
infector. Programs are infected when they are executed.
Dual_GTM avoids infecting EXE files whose name begin with
SCAN, CLEA and QBAS. It's COM infection routine is buggy and
multiple infections of the same COM file are possible.
The code of the virus presents some irritating
characteristics _ the virus tries to avoid heuristic
scanners by doing it's things in non-obvious way. For
example, when it wants to move value 4200 to a register, it
will first move 4201 and then decrease the value of the
register by one.
The virus activates on the 20th of March if the year is
greater than 1993. At this time the virus beeps and displays
slowly the text: "Beware of the BUG !!!". After this the
virus hangs the machine. Otherwise the activation routine is
harmless; Dual_GTM's main danger lies in its buggy infection
routine that can corrupt the files it infects.
A New Version of Disinfectant Now Available
Things have been slow in the world of Macintosh viruses for
a long time, but the pace seems to be picking up again. In
April, a new variant of the old nVIR B virus was discovered
and dubbed CLAP. The capability to detect this virus has
been added to most Macintosh anti-virus programs. If there
are Macintosh workstations in your organization, you can
order an updated version of the Disinfectant anti-virus
program from your F-PROT distributor or directly from our F-
PROT Support without a separate charge.
Viruses in the Wild
According to the latest "Wildlist" statistic, the world's
most common viruses at the moment are AntiEXE.A,
Cascade.1701.A, Form.A, Green_Caterpillar.1575,
Jerusalem.1808.Standard.A, Joshi.A, Kampana.A,
Parity_Boot.B, Ripper, Stoned.Azusa.A,
Stoned.Empire.Monkey.B, Stoned.Michelangelo.A,
Stoned.Standard.A, Tequila.A and V-Sign.
The list of common viruses published in May contained
altogether 222 different viruses.
Wildlist is compiled and maintained by the IBM employee Joe
Wells (jwells@watson.ibm.com). In this, he is assisted by 30
anti-virus parties from all over the world, including Data
Fellows Ltd.
Wildlist is available from your local F-PROT distributor or
directly from F-Secure Ltd's F-PROT Support.
News in ShortF-Secure Ltd's Popular WWW Service
F-Secure Ltd's WWW service has proved very popular. Our
host server went on-line a year ago, and so far it has
served over 25000 visitors. We continue to welcome at:
http://www.datafellows.fi/
F-PROT Professional Praised by Monitor Magazine Slovenia
The Slovenian Monitor Magazine published comprehensive test of
anti-virus products in its April issue. F-PROT Professional was
proclaimed the editors' choice as a hands-down winner over the other
contestants. The technology used by F-PROT Gatekeeper was especially
praised. During 1995, F-PROT has also prospered in tests published
by the Virus Bulletin and SECURE Computing magazines, among others.
Hong Kong's First Hacker Case
Reported by Allan Dyer (adyer@yuikee.com.hk) of Yui Kee Co.
Ltd, Hong Kong:
Raymond Chen, son of a Hong Kong University lecturer, has
become Hong Kong's first convicted Internet Hacker. He was
convicted on three counts under the Telecommunications
Ordinance and ordered to pay fines and costs totaling
HK$45,000. The magistrate indicated his wish to deter
others, saying, "Although a deterrent sentence is not
usually imposed upon a first offender, there is no absolute
bar".
The offenses took place between August and October 1994, and
involved access to computers operated by Hong Kong
Polytechnic and Hong Kong University of Science and
Technology. After a monitoring operation, the Commercial
Crimes Bureau officers gained access to Mr. Chen's home
posing as neighbors concerned about a water leak, and seized
the computing equipment.
Raymond Chen is considering an appeal and claims he may have
been framed by the gay community: "I didn't do anything
except harass the fags and of course I harass them
mercilessly", referring to his activities on IRC. Chen
claimed he had been given the passwords to various friends'
accounts as "payment" for technical assistance. Police and
local Internet experts dismissed his claims of being framed.
Chen was not convicted under the Computer Crimes Ordinance,
as there was no evidence that he had any criminal or
dishonest intent in his unauthorized access.
Common Questions and Answers
If you have questions about information security or virus
prevention, contact your local F-PROT distributor. You can
also contact F-Secure directly in the number +350-0-478
444.
Written questions can be mailed to: F-Secure Ltd, F-PROT
Support, Päiväntaite 8, 02210 ESPOO, FINLAND.
Questions can also be sent by electronic mail to: Internet:
f-prot@datafellows.fi; X.400: S=F-PROT, OU1=DF, O=elma,
P=inet, A=mailnet C=fi;
Should DLL files be checked for viruses? I compared
different anti-virus programs and noticed that _ in addition
to the normal COM, EXE and overlay files _ some of them scan
also files with the DLL extension by default.
Under normal conditions, it is not worth the effort to check
DLL files. Including them in the virus check only slows down
scanning but does not really provide any additional
security.
DLL files are structurally similar to Windows EXE files.
They are divided into two separate parts: a basic DOS stub
and the actual Windows code section. The only purpose of the
DOS section is to print "This program requires Windows" or
something similar on the screen. Many DOS viruses
distinguish between COM and EXE files by checking whether
the file begins with the signature 'MZ'. DLL files contain
the MZ marker.
So far, no viruses which try to spread by infecting DLL
files have been found. However, DLL files may occasionally
contain viruses. This may be due to the following reasons:
1) The virus infects all files. For example, viruses which
belong to the Trivial family write their code on all files
located in the same directory.
2) The virus is meant to infect only normal program files,
but, due to a programming error, it also infects other
files, including DLLs.
3) The virus infects all executed files which contain the
EXE header. Since DLL files are never executed in the
traditional sense of the word, the only way to get a virus
to infect them is to change their file extension to EXE and
run them under DOS.
4) Some multipartite viruses monitor disk writes. Whenever a
sector beginning with an EXE header or the 'MZ' marker is
written to the disk, these viruses add their own code to it.
BootExe is one of these viruses. It may infect also DLL
files.
Cases 1) and 2) are not valid reasons for including DLL
files in particular in the virus scan. Such viruses will
also infect, for instance, TXT and XLS files, corrupting
them in the process. To find all copies of such viruses, it
is necessary to scan all files, including data files. In the
entries describing these viruses in F-PROT's virus database,
there are remainders about the necessity of a comprehensive
data file scan.
Cases 3) and 4) can be used as arguments for a DLL scan.
However, in such cases the virus will also infect all other
Windows files containing an EXE header. This means, for
example, all files with the extensions 386, CPL, DRV, FON,
FOT and VBX. These files are as likely to get infected as
DLL files, but there are no anti-virus programs which
include them in the scan by default.
The general rules about virus infections apply also to cases
involving DLL files. Normally, only program files should be
scanned. However, if a virus is found, ALL files should be
checked _ including DLLs and data files, just to be on the
safe side.
What happens to a DLL file if it is infected by a virus?
That depends on the structure of the original file. Since
viruses do not target DLL files in particular, the infection
usually damages the file so badly that an attempt to use it
leads to an error message. Even if the file remains
functional, the virus cannot spread from it under normal
conditions; the only way to get a virus to spread from such
a file is to change its extension to EXE and execute it
under DOS.
So far, no viruses which infect exclusively DLL files have
been found. There haven't even been cases where a virus
could spread from a DLL file without considerable help from
the user. Therefore, it is not necessary to include DLL
files in the virus scan.
Are there any viruses which can spread through GIF or JPG
files?
No. Next question, please.
Can viruses hide themselves in the video RAM or CMOS memory?
What about the memory of peripherals, such as printers or
modems?
Video RAM is structurally similar to normal PC computer
memory, so it is possible to execute programs in it. There
are known viruses that install themselves in video RAM.
However, this doesn't pose any special challenge to anti-
virus programs, as these viruses can readily be detected
from there.
CMOS memory is backed up with a battery, so it doesn't
disappear when you turn off the computer. However, CMOS is
very small and its contents never get executed. Thus, you
can't run any programs in it. There are viruses that do
corrupt the information in CMOS, but they can't hide in it.
Some printers and modems have non-volatile memory, but it is
not technically possible to write a program that would
"infect" that memory. Besides, such a program could not
spread from the peripheral back to the main PC.
Changes in F-PROT Professional version 2.18
Changes in F-PROT for DOS
The following problem has been corrected:
The virus No_of_the_Beast was not disinfected
correctly.
The following false alarm has been fixed:
The latest version of Mc Afee's CLEAN.DAT file contains
some unencrypted code taken from the November_17th virus,
and this caused F-PROT to give a false alarm. McAfee is
expected to correct this, but in the meantime F-PROT has
also been provided with the means to avoid giving a false
alarm of this file.
Minor Changes
Files infected by the Cybercide.1307 virus are usually
unable to start afterwards. F-PROT can now disinfect these
files also.
Changes in F-PROT for Windows
The default font size used by DFWIN has been changed.
The program now uses a font which has readable proportions.
This was a problem in some environments.
Installation support for TSR programs has been added to
Autoinst. For example, VIRSTOP.EXE can now be defined to be
installed from AUTOEXEC.BAT.
We have created a Windows version of the Autoinst
program. The program uses the same INI files as the DOS
version. The name of the program file is AUTOW31.EXE.
Autoinst supports the installation of F-PROT
Gatekeeper's F-PROTW.386 file from the local directory:
The setting "f-protw.386=" can be used for defining the F-
PROTW.386 device driver's path in SYSTEM.INI. When this
setting is used, the defined path _ instead of the
installation's destination directory _ will be added to
SYSTEM.INI. This makes it possible to load the device driver
from a different location than F-PROT Gatekeeper's other
files. For example:
[Gatekeeper]
f-protw.386=c:\f-protw.386
Autoinst will also write a corresponding setting to the F-
PROTW.INI file. Thus, the setting in SYSTEM.INI will remain
correct even when F-PROT Gatekeeper is activated from F-
Agent with a menu command.The setting is needed in
environments where networks disks become accessible only
after Windows is started.
New Viruses Detected by F-PROT 2.18
The following 31 viruses are now identified, but can not be
removed as they overwrite or corrupt infected files. Some
of them were detected by earlier versions of F-PROT, but not
identified accurately.
Explorer.3063
Fkiller
HLLO.3853
HLLO.4870.C
HLLO.8000
HLLO.14186
Itti.99.B
Leprosy.551
Leprosy.666.J
Leprosy.666.N
Leprosy.666.O
Leprosy.666.P
Leprosy.666.Q
Leprosy.999
Leprosy.BadCommand
Leprosy.Merci
Leprosy.YH.880
Quasar.523
Raving
Rush_Hour.A
Rush_Hour.B
Rush_Hour.C
Rush_Hour.D
Rush_Hour.E
Suriv-1.Lunch
Trivial.B&B
Trivial.Diddle
Trivial.FTW.101
Trivial.FTW.192
Trivial.Lame.98
Trivial.Lame.173
The following 258 new viruses can now be removed. Many of
them were detected by earlier versions, but are now
identified accurately.
_814
_935
_1106
_1203
_1320
_1376
Adin
Alphabet
Amazon.468
Amazon.479
Amazon.500
AT.160
Avalanche
Bengal.863
Better_World.G
Blava
Bobas
BootCom
Bua
Bupt.1261.B
BW.311
Cascade.1701.AD
Cascade.1701.AH
Cascade.1701.AI
CCC
Chukc.554
Chukc.838
CK.777
Clouds.588
Clouds.657
Clouds.718
Cluster.277
Croatia
Darv
Dead.979
Dead.1190
Dead.1459
Dead.1601
DK
Drag
DvD
Fax_Free.1536.Meco.D
Fax_Free.1536.New.A
Fax_Free.1536.New.B
Five_eights.609
Flash.688.E
Friday_the_13th.456
Fumble.801
Fumble.867.B
Funked.425
Funked.429
Glitch.407
Gondor
Green_Caterpillar.1575.J
Heja.623
HI.802
HI.892
HLL.4109
HLL.6176
HLL.Kasienka
HLL.Sauron
HLLC.10832
Immigrant
Insert
IVP.Angry_Samoans.593
IVP.Executor.429
IVP.Executor.460
IVP.Executor.473
IVP.Executor.507
IVP.Executor.522
IVP.Executor.583
IVP.Hot_Zone.561
IVP.Hot_Zone.815
IVP.Infesto.561
IVP.Infesto.604
IVP.Infesto.679
IVP.Infesto.697
IVP.Replico.317
IVP.Replico.324
IVP.Replico.350
IVP.Replico.352
IVP.Replico.357
IVP.Replico.390
IVP.Replico.392
IVP.Replico.422
IVP.Replico.462
IVP.Replico.478
IVP.Replico.495
Jerusalem.1808.Blank.E
Jerusalem.1808.new10
Jerusalem.1808.SuMsDos.AR
Jerusalem.Rulis
Kaczor
Kak
Kela.690
Keyb.667
Keyb.756
Keyb.873
Khiznjak
Lame.538
Liberty.2857.H
LPT-off.271
Lutil
Magda
Magdazie.1114
Marky
Marzia.P
Mephisto.654
Mephisto.1000
Mephisto.1242
Milikk
Ming.1262
Mnem.859
Morbid
Mr_Twister.453
Natas.4740
Natas.4766
New_model
Neither
No_frills.813
No_frills.815
November_17th.800.C
Npox.630
Number_of_the_Beast.AA
Number_of_the_Beast.AB
Olga
Peligro
Pendule.1059
Phalcon.Maria_K.1118
Pieck
Playgame.A
Playgame.B
Possessed.2167
Princeptor
PS-MPC.246
PS-MPC.574.G
PS-MPC.574.H
PS-MPC.582.A
PS-MPC.582.B
PS-MPC.583
PS-MPC.G2.Puppet
PS-MPC.Shrimp.358
PS-MPC.Shrimp.423
PS-MPC.Skeleton.591.A
PS-MPC.Skeleton.591.B
PS-MPC.Skeleton.591.C
PS-MPC.Skeleton.591.D
PS-MPC.Skeleton.592.A
PS-MPC.Skeleton.592.B
PS-MPC.Skeleton.592.C
PS-MPC.Skeleton.592.D
PS-MPC.Skeleton.592.E
PS-MPC.Skeleton.592.F
PS-MPC.Skeleton.592.G
PS-MPC.Skeleton.592.H
PS-MPC.Skeleton.592.I
PS-MPC.Skeleton.592.J
PS-MPC.Skeleton.592.K
PS-MPC.Skeleton.592.L
PS-MPC.Skeleton.592.M
PS-MPC.Skeleton.592.N
PS-MPC.Skeleton.592.O
PS-MPC.Skeleton.592.P
PS-MPC.Skeleton.592.Q
PS-MPC.Skeleton.593.A
PS-MPC.Skeleton.593.B
PS-MPC.Skeleton.593.C
PS-MPC.Skeleton.593.D
PS-MPC.Skeleton.593.E
PS-MPC.Skeleton.593.F
PS-MPC.Skeleton.596.A
PS-MPC.Skeleton.596.B
PS-MPC.Skeleton.596.C
PS-MPC.Skeleton.596.D
PS-MPC.Skeleton.597.A
PS-MPC.Skeleton.597.B
PS-MPC.Skeleton.597.C
PS-MPC.Skeleton.597.D
PS-MPC.Skeleton.597.E
PS-MPC.Skeleton.597.F
PS-MPC.Skeleton.597.G
PS-MPC.Skeleton.597.H
PS-MPC.Skeleton.597.I
PS-MPC.Skeleton.597.J
PS-MPC.Skeleton.597.K
PS-MPC.Skeleton.597.L
PS-MPC.Skeleton.597.M
PS-MPC.Skeleton.597.N
PS-MPC.Skeleton.597.O
PS-MPC.Skeleton.597.P
PS-MPC.Skeleton.598.A
PS-MPC.Skeleton.598.B
PS-MPC.Skeleton.598.C
PS-MPC.Skeleton.598.D
PS-MPC.Skeleton.598.E
PS-MPC.Skeleton.598.F
PS-MPC.Toys.762
Rex
Rosario
Sarampo
Select.1112
Select.1258
SillyC.106
SillyC.113
SillyC.126
SillyC.140
SillyC.155
SillyC.207.B
SillyC.292
SillyCER.263
SillyCER.266
SillyCR.122
SillyCR.132
SillyCR.178
Small_comp.85
Small_comp.87
Sofia.432
Sofia.528
Sphinx
Storm.1153.B
Svirus
Synergy
Tankar
Tigre
Timid.303.B
Tokyo.1258
Topa.2476
Trance
Trident.1313
Uneasy.658
UVR
Variable_Worm
Vbasic.H
Vbasic.I
VCL.380
VCL.417
VCL.Dad
VCL.Dummy
VCL.Fillo
Vcode.2262
VE.504
Vienna.574
Vienna.923
Virnn.1023
Virnn.1100
Viros
Volk.B
Volk.C
Waria
Wanderer.400.B
Wanderer.484
Witcode.1728
Xora
XTC
Yankee_Doodle.1223
Yesmile.4320
Yesmile.5504
Zor
The following 84 new viruses are now detected and identified
but can not yet be removed.
Alien.1976
Antipode
Ass
Attitude.723
Backform.2345
Backform.2381
Bad_Boy.1000.C
Bad_Boy.1041
Bad_Boy.1075
Bad_Boy.1135
Bandersnatch
Blueshark
Civil_Defense.A
Civil_Defense.B
Civil_Defense.C
Civil_Defense.D
Delwin.1199
DigDeath.958
DigDeath.963
Exe252
Exeheader.324
Exeheader.440
Father_Mac.306
Father_Mac.797
Father_Mac.838
Frida
Godzilla
Goomba
Halka.720
Hamburger
HWF
Jerusalem.CVEX.5120.B
Jerusalem.CVEX.5120.C
Jerusalem.CVEX.5120.D
Jerusalem.CVEX.5120.E
Jerusalem.CVEX.5120.F
Jerusalem.CVEX.5120.G
Jerusalem.CVEX.5120.H
Jerusalem.CVEX.5120.I
Jerusalem.CVEX.5120.J
June_12th,2695
Lame.435
MacGyver.3160
MacGyver.4112
MacGyver.4480
MacGyver.4643
MacGyver.4645
Mantis.1258
Marauder.855
Marbas
Mike.252
Mike.256
Mnem.918
Monarch
Mz1
Mzboot
Keko.1964
Keko.1990
Keko.2690
Mephisto.615
Mephisto.815
Mephisto.914
Mephisto.928
Mephisto.937
Mephisto.938
Norge
November_17th.1061
NRLG.776
NRLG.992
NRLG.1030
NRLG.1038
Olexy
Oops
Riot.Carpe_Diem.462
Riot.Carpe_Diem.1033
ShineAway
SillyCR.86
Socks
Stalker.310
Stalker.320
Uvst
Vlad.651
Vlad.692
Xuxa.1096
The following 9 new viruses are now detected, but not
identified. F-PROT will just report the virus family name
with a (?), or report the virus as "New or modified
variant", as it is not yet able to determine which variant
it is dealing with. Disinfection of these viruses is not yet
possible.
DR&ET
Dream
GT-spoof
K-hate
Rajaat.871
Maverick.A
Maverick.B
Maverick.C
Unfo
The following 6 viruses which were identified by earlier
versions can now be removed.
Clone
McGyver.2803.A
McGyver.2803.B
Necropolis.A
Necropolis.B
Necropolis.C
The following viruses have been renamed:
Pollution.* ->> Riot.Pollution.*
Carpe_Diem.* ->> Riot.Carpe_Diem.*
F-PROT Professional 2.18 Update Bulletin
F-Secure Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: f-prot@datafellows.fi
This material can be freely quoted in Europe, Africa and Asia when
the source, F-PROT Professional Update Bulletin 2.18 is mentioned.
Copyright (c) 1995 F-Secure Ltd.